Years ago I got FUCKED when I used Authenticator and bought a new phone. I just assumed everything would be backed up to iCloud, like everything else. I lost access to accounts which were almost impossible to retrieve. Millions of people have been screwed thus, turning people away from 2FA. I can't believe it has taken this long to enable sync.
Our onboarding docs specifically tell employees to NOT use Google Authenticator precisely because of this issue. I have no idea how Google let this fester for so long, literally if even one (1) person over there was using it and got a new phone, they should have known about the issue.
Yeah, same with my company. "DO NOT USE GOOGLE AUTHENTICATOR" is littered throughout our Intranet and onboarding docs in bold letters with recommendations for different options. And people still use it and lose their codes all the time.
Now it's tied to the Google Account which means it'll be tied to either their personal or work account and now we have to worry about personal account bans removing their 2FA or when they leave the company, our suspension process killing personal 2FA that were synced via the wrong account.
The app has supported bulk QR code export and import for years. This makes it easy to transfer to a new phone, and relatively easy to make physical backups.
Which only worked if you had both phones working at the same time... I'd bet a sizable portion of new phone enablements are due to losing the previous phone irrevocably.
When doing a factory reset because of whatever reason, this becomes an issue as well. You cannot take screenshots of the bulk export QR-Code on Android because of FLAG_SECURE, so you need to work around that and take a photo of the screen with a different device to import from later.
Also, as of last week, there existed an issue with special characters when trying to import and the app would just freeze or not recognize the QR code pattern at all, so you better had backups of all your secret keys.
Both issues made me switch to Aegis and appreciate my past self backing up the secrets with KeePassXC.
I have long migrated to Aegis and it is pretty awesome. Backups. Copy & Paste. Encryption. Auto-upload to Nextcloud. Better Interface (with names!). etc.
You'd save the QR code at the time you first used it on the old phone, and not wait for when you needed to transfer it.
For me, I'd usually be on the desktop when setting up 2FA anyway, so I'd just save the QR code from the desktop browser ("Save image as ..."). When I needed to set up a new phone, I'd open the saved image on the desktop and point my phone at the screen.
That's an absurd expectation. First of all, many users don't even have or use a computer. Of course, I personally do have one, but I'm often nowhere near one when I set up MFA on a new account. So then I guess I screenshot the QR code to my phone? But if I saved the image to my phone it gets stored in my photos backup anyway. Why would Authenticator not just back its own contents up, to that exact same spot, rather than me doing some crazy runaround that for some reason involves images?
Nope, you can't screenshot the page, so you can't save the code and can't send it to another phone. This means you can never trade in a phone for a new one and if your phone is lost or stolen you're locked out of all your accounts forever.
They actively added code to prevent you taking screenshots, which is insane but true.
I'm on iOS and I'm able to screenshot the QR code with version 3.4.0 of the app. Maybe the screenshot lockdown is limited to Android?
In any case, if you're trying to create a backup there are other avenues of capturing the QR code - offline digital camera is probably the most secure way of doing so.
Interesting - but not good enough. For the threat model TOTP solves, it is not absurd to want Authy-like functionality where codes can be backed up, encrypted, to a cloud service OR like Authone (?) which allows you to export the data to a file.
This is not a 2FA problem. It's a google problem, and the google problem is not limited to 2FA.
Do not use google-anything, for anything in production, ever. They make shiny products that depending on your point of view may be nice or just shiny. But their total solution is not a serious competitor to any of the major players. Any time anything depends on google, you risk it destroying a part of your business - yes, under a paid support contract.
I was doing a dc migration at a hospital once, and they used google authenticator. I'm waiting for the day some sysadmin who knows some dev who worked with some dev on an app that was banned from some phone that got resold, will cause all the storage, network, and sysadmins to lose remote login access to all their devices during a sev1 at 2am.
Incidentally, Signal works the same way on an Apple device. No backup. Lose your phone, and your entire chat history is GONE, together with all the media.
Apparently the authors of Signal consider backup to be less important than all the idiotic "story time" features and similar doodads.
I'm so much with you on this. I love Signal, but I'll never recommend it until it gets backup/restore. I have no clue why this is not prioritized over everything else.
Yep, I’ve been using Authy for years because of this. Before that, I would have a second phone with GAuthenticator on it and when I scanned the QR code to set up a new account, I would do it with both phones simultaneously to make sure I had a backup. It always struck me as absolutely ridiculous.
Authy used to share its SDK TOTP codes with attackers via account recovery, and no backup password was needed. SMS hijacking led to authenticator takeover on Authy SDK-using sites like Coinbase. Which is partly why Authenticator and co. were originally designed to prohibit secret backup.
If you damage your Android screen it is basically useless unless you have pre-emptively set up some kind of remote access process...
Twice I've had to spend hours manually resetting/re-enabling my 2FA after a phone was damaged, and sans buying a new screen just to get a backup of the phone, there aren't many other options.
(Similarly, this was the time I learnt that the UK gov does not issue backup codes for their 2FA and you just have to spend 45 mins on hold to have them reset it for you.)
Exactly this. I bought my current phone after I dropped my previous one and cracked its screen. I was only able to recover access to critical services because I had previously set up some Tasker automation connected to my Pebble watch, which enabled me to navigate the phone "in the dark" enough to turn on AirDroid, allowing me to screen-mirror the phone to the PC. Of course, all the 2FA tools have this stupid idea of blacking the screen when it's being mirrored - but fortunately, I was able to turn on USB debugging this way, at which point I plugged the phone in and used scrcpy to show a fat middle finger to Google and plain recover everything from Authenticator.
Now imagine trying to explain this to anyone outside of the tech industry. I imagine only a small percentage of software engineers and IT folks in general would be able to accomplish what you did. How easy it is to accidentally fuck yourself over with app-based 2FA is one reason I've been hesitant to recommend it to my non tech savvy friends and family. While SMS 2FA is a lot less secure, it's at least pretty much idiot-proof.
Yet this scenario (currently authenticated phone is gone) just seems a baffling concept to the people making these apps. I need to be able to make an offline backup for the day when the phone is lost or destroyed.
> and used scrcpy to show a fat middle finger to Google
Unfortunately Google has the last laugh here, because since Android 12 even scrcpy can no longer bypass FLAG_SECURE. Currently you'd have to start messing about with root and using some sort of Xposed and/or Magisk (?) module to disable FLAG_SECURE in order to be able to mirror that kind of app with scrcpy again.